The Payment Card Industry Data Security Standard (PCI DSS) is a single approach, shared by all card brands, to safeguarding sensitive cardholder information. PCI DSS requires merchants to secure cardholder data in their virtual and/or physical environments. If you accept credit and/or debit cards as a form of payment, you are required by the card associations to meet the PCI DSS requirements. To oversee standards for data security, the card brands have created the PCI Security Standards Council. This organization's mission is to enhance data security through education and awareness.

Acumen has developed a DSS program to ensure that all merchants, regardless of level, verify they have met the mandated requirements of the security standards.

All merchants fall into one of four merchant levels based on Visa transaction volume over a 12-month period. Transaction volume is based on the aggregate number of Visa transactions (inclusive of credit, debit and prepaid) from a merchant Doing Business As ("DBA").
| Level | Description |
|---|---|
| 1 | Any merchant, regardless of acceptance channel, processing over 6,000,000 Visa transactions per year. Any merchant that Visa, at its sole discretion, determines should meet the Level 1 merchant requirements to minimize risk to the Visa system. |
| 2 | Any merchant, regardless of acceptance channel, processing 1,000,000 to 6,000,000 Visa transactions per year. |
| 3 | Any merchant processing 20,000 to 1,000,000 Visa e-commerce transactions per year. |
| 4 | Any merchant processing fewer than 20,000 Visa e-commerce transactions per year, and all other merchants, regardless of acceptance channel, processing up to 1,000,000 Visa transactions per year. |
| Goal | Requirement |
|---|---|
| Build and Maintain a Secure Network | 1. Install and maintain a firewall configuration to protect data |
| | 2. Do not use vendor-supplied defaults for system passwords and other security parameters |
| Protect Cardholder Data | 3. Protect stored data |
| | 4. Encrypt transmission of cardholder data and sensitive information across public networks |
| Maintain a Vulnerability Management Program | 5. Use and regularly update anti-virus software |
| | 6. Develop and maintain secure systems and applications |
| Implement Strong Access Control Measures | 7. Restrict access to data by business need-to-know |
| | 8. Assign a unique ID to each person with computer access |
| | 9. Restrict physical access to cardholder data |
| Regularly Monitor and Test Networks | 10. Track and monitor all access to network resources and cardholder data |
| | 11. Regularly test security systems and processes |
| Maintain an Information Security Policy | 12. Maintain a policy that addresses information security |
| Level | Description | Comply with DSS | On-Site Security Audit | Self-Assessment Questionnaire | Network Scans | Validated By |
|---|---|---|---|---|---|---|
| 1 | Any merchant, regardless of acceptance channel, processing over 6,000,000 V/MC transactions per year. Any merchant that has suffered a hack or an attack that resulted in an account data compromise. Any merchant that V/MC determines should meet the Level 1 merchant requirements to minimize risk to their systems. Any merchant identified by any payment card brand as Level 1. | Required | Required Annually | | Required Quarterly | Qualified Data Security Company and Independent Scan Vendor |
| 2 | Any merchant processing 1,000,000 to 6,000,000 V/MC e-commerce transactions per year. | Required | | Required Annually | Required Quarterly | Merchant and Independent Scan Vendor |
| 3 | Any merchant processing 20,000 to 1,000,000 V/MC e-commerce transactions per year. | Required | | Required Annually | Required Quarterly | Merchant and Independent Scan Vendor |
| 4 | Any merchant processing fewer than 20,000 V/MC e-commerce transactions per year, and all other merchants processing up to 1,000,000 Visa transactions per year. | Required | | Required Annually | Recommended Annually | Merchant |
In the event of a security incident, merchants must take immediate action to contact the following:

- Merchant Account Provider
- Merchant Bank
- Visa Fraud Control Group at (650) 432-2978
- Local FBI Office
- U.S. Secret Service (if Visa payment data is compromised)